Citrix XenServer QEMU Display Geometry Resize Handling Guest-to-Host Code Execution (CTX221578)

critical Nessus Plugin ID 97948

Synopsis

The remote host is affected by a guest-to-host arbitrary code execution vulnerability.

Description

The version of Citrix XenServer running on the remote host is missing a security hotfix. It is, therefore, affected by a guest-to-host arbitrary code execution vulnerability in the QEMU component due to a failure to immediately complete resize operations when a blank mode is synchronously selected for the next update interval. Since other console components will already be operating with the new size values before the operation is completed, an attacker within a guest can exploit this issue to cause a heap-based buffer overflow, resulting in a denial of service condition or the execution of arbitrary code on the host.

Solution

Apply the appropriate hotfix according to the vendor advisory.

See Also

https://support.citrix.com/article/CTX221578

Plugin Details

Severity: Critical

ID: 97948

File Name: citrix_xenserver_CTX221578.nasl

Version: 1.8

Type: local

Family: Misc.

Published: 3/24/2017

Updated: 11/13/2019

Configuration: Enable paranoid mode

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.5

CVSS v2

Risk Factor: High

Base Score: 9

Temporal Score: 6.7

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2016-9603

CVSS v3

Risk Factor: Critical

Base Score: 9.9

Temporal Score: 8.6

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:citrix:xenserver

Required KB Items: Host/local_checks_enabled, Settings/ParanoidReport, Host/XenServer/version

Exploit Ease: No known exploits are available

Patch Publication Date: 3/14/2017

Vulnerability Publication Date: 3/14/2017

Reference Information

CVE: CVE-2016-9603

BID: 96893